Zoom has fixed a major vulnerability in its Windows apps that allowed threat actors to escalate privileges remotely.
The company’s offensive team recently found an improper input validation flaw in Zoom Desktop Client for Windows before version 5.16.5, Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12), Zoom Rooms Client for Windows before version 5.17.0, and Zoom Meeting SDK for Windows before version 5.16.5.
The flaw is tracked as CVE-2024-24691 and carries a CVSS severity rating of 9.6 (critical).
Patching the flaws
Although the company did not detail the flaw, BleepingComputer speculates, citing the CVSS vector, that it requires some level of victim interaction in order to be abused. In typical attack scenarios, that interaction could involve clicking a link, opening a malware-laden email attachment, or something similar.
Zoom has an automatic updater, so the next time you bring up the app, it should update on its own. For those who have disabled automatic updates, here’s a link where you can find version 5.17.7 for Windows.
In the same advisory, Zoom also announced fixes for six additional vulnerabilities, including one that allows privilege escalation through local access, three that allow information disclosure remotely, and one that allows denial of service over the network.
The company advises users to apply the patch as soon as possible to protect their endpoints.
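For administrators who cannot rely on the auto-updater, the affected-version list above can be turned into a fleet triage check. The following is an added example, not Zoom's or BleepingComputer's code; it assumes inventory records of the form (hostname, product, version string), compares only the first three version components against the fixed versions named in the article, and uses constructed sample data.

```python
"""Triage inventoried Zoom for Windows builds against the CVE-2024-24691 fixed versions."""

# Fixed-in versions from the advisory summary; builds below these are affected.
FIXED_IN = {
    "Zoom Desktop Client": (5, 16, 5),
    "Zoom VDI Client": (5, 16, 10),
    "Zoom Rooms Client": (5, 17, 0),
    "Zoom Meeting SDK": (5, 16, 5),
}
# VDI maintenance builds the advisory explicitly excludes (already patched).
VDI_EXCLUDED = {(5, 14, 14), (5, 15, 12)}


def parse_version(text: str) -> tuple:
    """Return the first three numeric components; a trailing build number is ignored
    (assumption: the advisory thresholds are three-part, so the build is irrelevant)."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable(product: str, version: str) -> bool:
    """True if this product/version pair falls in the affected range."""
    if product not in FIXED_IN:
        raise KeyError(f"unknown product: {product!r}")
    v = parse_version(version)
    if product == "Zoom VDI Client" and v in VDI_EXCLUDED:
        return False
    return v < FIXED_IN[product]


def triage(records) -> list:
    """Return the sorted hostnames that still run an affected build."""
    return sorted(host for host, product, version in records if is_vulnerable(product, version))


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "Zoom Desktop Client", "5.16.2.1001"),
    ("ws-002", "Zoom Desktop Client", "5.17.7.1002"),
    ("vdi-01", "Zoom VDI Client", "5.15.12"),
    ("vdi-02", "Zoom VDI Client", "5.16.9"),
    ("room-a", "Zoom Rooms Client", "5.16.10"),
    ("dev-01", "Zoom Meeting SDK", "5.16.5"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2024-24691, update required")
```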
Zoom is a popular cloud-based video conferencing service which companies often use to run remote meetings and calls, education, demonstrations, and the like. It rose to prominence during the Covid-19 pandemic, quickly becoming the most-used application in the world. At one point, it had 300 million daily meeting users.
That popularity also attracted plenty of hackers who saw it as an opportunity to steal sensitive company data, putting the spotlight on patches and quick fixes.
Via BleepingComputer